Weekly Vulnerabilities Reports > December 23 to 29, 2013

Overview

60 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 8 high severity vulnerabilities. This weekly summary reports vulnerabilities in 60 products from 42 vendors, including Redhat, Typo3, Ffmpeg, Fedoraproject, and XEN. The vulnerabilities are most notably categorized as "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Cryptographic Issues", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 48 reported vulnerabilities are remotely exploitable.
  • 17 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 48 reported vulnerabilities are exploitable by an anonymous user.
  • Redhat has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerability.

[Summary dashboard: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application. The counts shown in the original dashboard are not reproduced here.]

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:


6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-12-29 CVE-2013-6189 HP Unspecified vulnerability in HP Application Information Optimizer

Unspecified vulnerability in the Archive Query Server in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, and 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1666.

10.0
2013-12-26 CVE-2013-7217 Zimbra Security vulnerability in Zimbra Collaboration Server

Unspecified vulnerability in Zimbra Collaboration Server 7.2.5 and earlier, and 8.0.x through 8.0.5, has "critical" impact and unspecified vectors, a different vulnerability than CVE-2013-7091.

10.0
2013-12-29 CVE-2013-3846 Microsoft Resource Management Errors vulnerability in Microsoft Internet Explorer 10/9

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted CSpliceTreeEngine::InsertSplice object in an HTML document, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3143 and CVE-2013-3161.

9.3
2013-12-27 CVE-2010-1819 Apple Unspecified vulnerability in Apple Quicktime

Untrusted search path vulnerability in the Picture Viewer in Apple QuickTime before 7.6.8 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) CoreVideo.dll, (2) CoreGraphics.dll, or (3) CoreAudioToolbox.dll that is located in the same folder as a .pic image file.

9.3
2013-12-24 CVE-2013-6795 Rackspace Code Injection vulnerability in Rackspace Openstack Windows Guest Agent 1.2.5.0

The Updater in Rackspace Openstack Windows Guest Agent for XenServer before 1.2.6.0 allows remote attackers to execute arbitrary code via a crafted serialized .NET object to TCP port 1984, which triggers the download and extraction of a ZIP file that overwrites the Agent service binary.

9.3
2013-12-23 CVE-2013-6439 Redhat Improper Authentication vulnerability in Redhat Subscription Asset Manager

Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 uses a weak authentication scheme when the configuration file does not specify a scheme, which has unspecified impact and attack vectors.

9.3

8 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-12-28 CVE-2013-6932 Irfanview Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Irfanview

Buffer overflow in IrfanView before 4.37, when a multibyte-character directory name is used, allows user-assisted remote attackers to execute arbitrary code via a crafted file that is incorrectly handled by the Thumbnail tooltips feature in the Thumbnails window.

7.6
2013-12-28 CVE-2013-7149 Openx, Revive Adserver SQL Injection vulnerability in multiple products

SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.

7.5
2013-12-24 CVE-2013-7216 Etoshop SQL Injection vulnerability in Etoshop Classifieds Creator 2.0

Multiple SQL injection vulnerabilities in Classifieds Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to demo/classifieds/product.asp, or (2) UserID or (3) Password field to demo/classifieds/admin.asp.

7.5
2013-12-23 CVE-2013-4461 Redhat SQL Injection vulnerability in Redhat Enterprise MRG 2.4

SQL injection vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to execute arbitrary SQL commands via vectors related to the "filtering table operator."

7.5
2013-12-27 CVE-2010-0430 Redhat Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat Enterprise Virtualization Hypervisor

libspice, as used in QEMU-KVM in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H or rhev-hypervisor) before 5.5-2.2 and possibly other products, allows guest OS users to read from or write to arbitrary QEMU memory by modifying the address that is used by Cairo for memory mappings.

7.4
2013-12-28 CVE-2013-6886 Realvnc, Apple, Linux Permissions, Privileges, and Access Controls vulnerability in Realvnc 5.0.6

RealVNC VNC 5.0.6 on Mac OS X, Linux, and UNIX allows local users to gain privileges via a crafted argument to the (1) vncserver, (2) vncserver-x11, or (3) Xvnc helper.

7.2
2013-12-28 CVE-2013-6182 EMC Local Privilege Escalation vulnerability in EMC Replication Manager Unquoted File Paths

Unquoted Windows search path vulnerability in EMC Replication Manager before 5.5 allows local users to gain privileges via a crafted application in a parent directory of an intended directory.

7.2
2013-12-23 CVE-2013-3709 Novell, Suse Permissions, Privileges, and Access Controls vulnerability in multiple products

WebYaST 1.3 uses weak permissions for config/initializers/secret_token.rb, which allows local users to gain privileges by reading the Rails secret token from this file.

7.2

40 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-12-24 CVE-2013-6403 Owncloud Permissions, Privileges, and Access Controls vulnerability in Owncloud

The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.

6.8
2013-12-23 CVE-2013-7102 Optimizepress Improper Input Validation vulnerability in Optimizepress 1.60

Multiple unrestricted file upload vulnerabilities in (1) media-upload.php, (2) media-upload-lncthumb.php, and (3) media-upload-sq_button.php in lib/admin/ in the OptimizePress theme before 1.61 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images_comingsoon, images_lncthumbs, or images_optbuttons in wp-content/uploads/optpress/, as exploited in the wild in November 2013.

6.8
2013-12-23 CVE-2013-4405 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat Enterprise MRG 2.4

Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allow remote attackers to hijack the authentication of cumin users for unspecified requests.

6.8
2013-12-28 CVE-2013-6929 Cybozu SQL Injection vulnerability in Cybozu Garoon 3.7

SQL injection vulnerability in Cybozu Garoon 3.7 SP2 and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted API input.

6.5
2013-12-23 CVE-2013-7075 Typo3 Cryptographic Issues vulnerability in Typo3

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature."

6.5
2013-12-23 CVE-2013-4404 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Enterprise MRG 2.4

cumin in Red Hat Enterprise MRG Grid 2.4 does not properly enforce user roles, which allows remote authenticated users to bypass intended role restrictions and obtain sensitive information or perform privileged operations via unspecified vectors.

6.5
2013-12-28 CVE-2013-6812 Nextdc Cryptographic Issues vulnerability in Nextdc Onedc 1.51/1.7

The ONEDC app before 1.7 for iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.8
2013-12-28 CVE-2013-6006 Cybozu Improper Authentication vulnerability in Cybozu Garoon 3.5/3.5.3/3.7

Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request.

5.8
2013-12-23 CVE-2013-7080 Typo3 Unspecified vulnerability in Typo3

The creating record functionality in Extension table administration library (feuser_adminLib.inc) in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, and 6.0.0 through 6.0.11 allows remote attackers to write to arbitrary fields in the configuration database table via crafted links, aka "Mass Assignment."

5.8
2013-12-23 CVE-2013-7079 Typo3 Improper Input Validation vulnerability in Typo3

Open redirect vulnerability in the OpenID extension in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2013-12-27 CVE-2011-2519 XEN, Redhat Null Pointer Dereference vulnerability in multiple products

Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction.

5.5
2013-12-28 CVE-2013-6981 Cisco Improper Input Validation vulnerability in Cisco IOS XE

Cisco IOS XE 3.7S(.1) and earlier allows remote attackers to cause a denial of service (Packet Processor crash) via fragmented MPLS IP packets, aka Bug ID CSCul00709.

5.4
2013-12-23 CVE-2013-6979 Cisco Improper Authentication vulnerability in Cisco IOS XE

The VTY authentication implementation in Cisco IOS XE 03.02.xxSE and 03.03.xxSE incorrectly relies on the Linux-IOS internal-network configuration, which allows remote attackers to bypass authentication by leveraging access to a 192.168.x.2 source IP address, aka Bug ID CSCuj90227.

5.4
2013-12-29 CVE-2013-6197 HP Unspecified vulnerability in HP products

Unspecified vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote authenticated users to execute arbitrary code via unknown vectors.

5.2
2013-12-24 CVE-2013-4554 XEN Permissions, Privileges, and Access Controls vulnerability in XEN

Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.

5.2
2013-12-24 CVE-2013-4553 XEN Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in XEN

The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock).

5.2
2013-12-24 CVE-2013-4550 Fedoraproject, Duckcorp Cryptographic Issues vulnerability in multiple products

Bip before 0.8.9, when running as a daemon, writes SSL handshake errors to an unexpected file descriptor that was previously associated with stderr before stderr has been closed, which allows remote attackers to write to other sockets and have an unspecified impact via a failed SSL handshake, a different vulnerability than CVE-2011-5268.

5.1
2013-12-24 CVE-2012-6616 Ffmpeg Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ffmpeg

The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data.

5.0
2013-12-24 CVE-2013-4358 Ffmpeg Out-of-bounds Memory Access vulnerability in FFmpeg 'libavcodec'

libavcodec/h264.c in FFmpeg before 0.11.4 allows remote attackers to cause a denial of service (crash) via vectors related to alternating bit depths in H.264 data.

5.0
2013-12-23 CVE-2013-6890 Debian, Fedoraproject, Phil Schwartz Improper Authentication vulnerability in multiple products

denyhosts 2.6 uses an incorrect regular expression when analyzing authentication logs, which allows remote attackers to cause a denial of service (incorrect block of IP addresses) via crafted login names.

5.0
2013-12-23 CVE-2013-4549 Digia, QT Improper Input Validation vulnerability in multiple products

QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack.

5.0
2013-12-23 CVE-2013-2629 Idleman Improper Input Validation vulnerability in Idleman Leed 1.4

Leed (Light Feed), possibly before 1.5 Stable, allows remote attackers to bypass authorization via vectors related to the (1) importForm, (2) importFeed, (3) addFavorite, or (4) removeFavorite actions in action.php.

5.0
2013-12-23 CVE-2013-7081 Typo3 Permissions, Privileges, and Access Controls vulnerability in Typo3

The (old) Form Content Element component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated editors to generate arbitrary HMAC signatures and bypass intended access restrictions via unspecified vectors.

4.9
2013-12-23 CVE-2013-5973 Vmware Permissions, Privileges, and Access Controls vulnerability in VMWare ESX and Esxi

VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp filename.

4.4
2013-12-29 CVE-2013-6198 HP Cross-Site Scripting vulnerability in HP products

Cross-site scripting (XSS) vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-12-29 CVE-2013-5583 Joomla Cross-Site Scripting vulnerability in Joomla Joomla! 3.1.5

Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

4.3
2013-12-29 CVE-2013-2504 Matrix42 Cross-Site Scripting vulnerability in Matrix42 Service Store 5.3

Cross-site scripting (XSS) vulnerability in SPS/Portal/default.aspx in Service Desk in Matrix42 Service Store 5.3 SP3 (aka 5.33.946.0) allows remote attackers to inject arbitrary web script or HTML via the query string.

4.3
2013-12-28 CVE-2013-6808 Zend Cross-Site Scripting vulnerability in Zend Zendto

Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in ZendTo before 4.11-13 allows remote attackers to inject arbitrary web script or HTML via a modified emailAddr field to pickup.php.

4.3
2013-12-28 CVE-2013-1096 Novell Cross-Site Scripting vulnerability in Novell Identity Manager Roles Based Provisioning Module 4.0.2

Cross-site scripting (XSS) vulnerability in the Roles Based Provisioning Module 4.0.2 before Field Patch D for Novell Identity Manager (aka IDM) allows remote attackers to inject arbitrary web script or HTML via a taskDetail taskId.

4.3
2013-12-27 CVE-2013-2179 X Cryptographic Issues vulnerability in X Display Manager 1.1.10/1.1.11

X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing authentication using certain implementations of the crypt API function that can return NULL, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by attempting to log into an account whose password field contains invalid characters, as demonstrated using the crypt function from glibc 2.17 and later with (1) the "!" character in the salt portion of a password field or (2) a password that has been encrypted using DES or MD5 in FIPS-140 mode.

4.3
2013-12-24 CVE-2013-6388 Drupal Cross-Site Scripting vulnerability in Drupal

Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.

4.3
2013-12-24 CVE-2012-6617 Ffmpeg Unspecified vulnerability in Ffmpeg

The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format.

4.3
2013-12-24 CVE-2012-6615 Ffmpeg Unspecified vulnerability in Ffmpeg

The ff_ass_split_override_codes function in libavcodec/ass_split.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a subtitle dialog without text.

4.3
2013-12-24 CVE-2011-5268 Duckcorp, Fedoraproject Cryptographic Issues vulnerability in multiple products

connection.c in Bip before 0.8.9 does not properly close sockets, which allows remote attackers to cause a denial of service (file descriptor consumption and crash) via multiple failed SSL handshakes, a different vulnerability than CVE-2013-4550.

4.3
2013-12-23 CVE-2013-7049 ZNC Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in ZNC Znc-Msvc

Stack-based buffer overflow in fish.cpp in the Fish plugin for ZNC, as used in ZNC for Windows (znc-msvc) 0.206 and earlier, allows remote attackers to cause a denial of service (crash) via a long string in a DH1080_INIT message.

4.3
2013-12-23 CVE-2013-4424 Redhat Cross-Site Scripting vulnerability in Redhat Jboss Enterprise Portal Platform 6.1.0

Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal component in Red Hat JBoss Portal 6.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-12-23 CVE-2013-6449 Openssl Cryptographic Issues vulnerability in Openssl

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

4.3
2013-12-23 CVE-2013-4414 Redhat Cross-Site Scripting vulnerability in Redhat Enterprise MRG 2.4

Cross-site scripting (XSS) vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to inject arbitrary web script or HTML via the "Max allowance" field in the "Set limit" form.

4.3
2013-12-23 CVE-2013-7073 Typo3 Permissions, Privileges, and Access Controls vulnerability in Typo3

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 does not check permissions, which allows remote authenticated editors to read arbitrary TYPO3 table columns via unspecified parameters.

4.0
2013-12-23 CVE-2013-6422 Debian, Canonical, Haxx Improper Input Validation vulnerability in multiple products

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

4.0

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-12-23 CVE-2013-5420 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Security Access Manager for Enterprise Single Sign-On 8.2

The IMS server before Ifix 6 in IBM Security Access Manager for Enterprise Single Sign-On (ISAM ESSO) 8.2 allows remote authenticated users to read log files by leveraging helpdesk privileges for a direct request.

3.5
2013-12-24 CVE-2012-6618 Ffmpeg Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ffmpeg

The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient "frames to estimate rate."

2.6
2013-12-28 CVE-2013-6181 EMC Cryptographic Issues vulnerability in EMC Watch4Net 6.0/6.1/6.2

EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.

2.1
2013-12-27 CVE-2013-2030 Openstack Permissions, Privileges, and Access Controls vulnerability in Openstack products

keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

2.1
2013-12-24 CVE-2013-6387 Drupal Cross-Site Scripting vulnerability in Drupal

Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.

2.1
2013-12-24 CVE-2013-4452 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Operations Network 3.1.2

Red Hat JBoss Operations Network 3.1.2 uses world-readable permissions for the (1) server and (2) agent configuration files, which allows local users to obtain authentication credentials and other unspecified sensitive information by reading these files.

2.1